Outgoing portsweep


aftermath
03-13-09, 07:10 AM
Date: 03/13 10:56:16 Name: (portscan) TCP Portsweep
Priority: n/a Type: n/a
IP info: 78.32.221.106:n/a -> 209.85.137.83:n/a
References: none found

I am using SmoothWall 3.
It appears as though I have been port scanning Google and a few other sites.
I tried to run GMER on all of my servers last night but one server hung.
I have F-Secure on all the PCs here but scanning is very slow on one server (the one that hung) and a laptop.

What is the best way to find where this is coming from? Could I set up tcpdump on the smoothie's green NIC to report the origin of the scan?
Could it be the smoothie itself has been compromised? :eek:

It does not seem to coincide with Google's spider.

HJT logged a gopher prefix, but I have never had a redirect :confused:

T.I.A.

gangaskan
03-13-09, 08:13 AM
I am using SmoothWall 3.
It appears as though I have been port scanning Google and a few other sites.
I tried to run GMER on all of my servers last night but one server hung.
I have F-Secure on all the PCs here but scanning is very slow on one server (the one that hung) and a laptop.

What is the best way to find where this is coming from? Could I set up tcpdump on the smoothie's green NIC to report the origin of the scan?
Could it be the smoothie itself has been compromised? :eek:

It does not seem to coincide with Google's spider.

HJT logged a gopher prefix, but I have never had a redirect :confused:

T.I.A.

Are you sure it wasn't an outside port scan? Those look like two external IPs.

If you did an internal port scan out to the net, you would (or should) have gotten a classified IP > external IP IDS log entry, would you not?


Edit: also, keep in mind that people do sweeps on external IPs all the time to see what is happening or what they can get into.

aftermath
03-13-09, 08:26 AM
Thanks for the reply, gangaskan.
78.32.221.106 is one of my public IPs.


Date: 03/13 00:59:36 Name: SQL version overflow attempt
Priority: 1 Type: Attempted Administrator Privilege Gain
IP info: 221.233.242.4:2406 -> 78.32.221.106:1434
References: 1 2 3 4

That is an example of an incoming attack (one which is blocked by the firewall and automatically blocks that IP for 5 days too).

gangaskan
03-13-09, 09:09 AM
Thanks for the reply, gangaskan.
78.32.221.106 is one of my public IPs.


That is an example of an incoming attack (one which is blocked by the firewall and automatically blocks that IP for 5 days too).

Yup, sounds like someone was sweeping that range :) It happens all the time.

aftermath
03-13-09, 11:29 AM
Yes, but the port scan is coming from my IP and scanning Google.
I need to find where it's originating in my network.
I just posted the logged SQL hack attempt as an example of inbound traffic.

=ACID RAIN=
03-13-09, 09:20 PM
Put Wireshark on all the machines and give them a few minutes. Or you could run them all through a proxy with Wireshark.

dropadrop
03-14-09, 05:06 AM
Yes, but the port scan is coming from my IP and scanning Google.
I need to find where it's originating in my network.
I just posted the logged SQL hack attempt as an example of inbound traffic.

Well, personally I manage some IDS systems and get similar warnings when people open up Firefox with a lot of saved tabs. There are so many simultaneous connections (sometimes to the same server) that it might mistake it for a portscan.

See if you can repeat it somehow with your own actions (I could). I don't think any trojans would be targeting Google from your network.
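The two practical suggestions in this thread, capturing on the smoothie's green NIC to see which internal host the SYNs come from (aftermath's first post) and checking whether a browser restoring many tabs is what trips the sweep heuristic (dropadrop's reply), can be combined into one small triage script. The Python below is an added example and not code from the thread, SmoothWall or Snort. It parses the output of a `tcpdump -tttt` run on the LAN-side interface, groups outbound SYNs per internal source, and reports any source that reaches many distinct destination:port endpoints inside a short window, which is the pattern a portsweep alert summarises without telling you the internal address. The capture itself is constructed (only 209.85.137.83 comes from the alert in the thread), the interface name `eth1`, the 5-second window and the threshold of 8 endpoints are assumptions, and the port-based triage generalises a little beyond the thread: it distinguishes a web-only burst from one that touches other ports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 'tcpdump -ni <green> -tttt' output, not a real capture:
# an internal laptop (192.168.1.23) restoring a browser session fires a burst of
# SYNs at several web servers, while a desktop (192.168.1.40) opens two ordinary
# connections. 209.85.137.83 is the destination from the alert in the thread;
# every other address is made up.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
2009-03-13 10:56:16.001234 IP 192.168.1.23.51234 > 209.85.137.83.80: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:16.104210 IP 192.168.1.23.51235 > 209.85.137.83.443: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:16.210001 IP 192.168.1.23.51236 > 209.85.137.104.80: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:16.355120 IP 192.168.1.23.51237 > 209.85.137.99.443: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:16.498770 IP 192.168.1.23.51238 > 209.85.137.147.80: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:16.733004 IP 192.168.1.23.51239 > 74.125.45.100.80: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:16.902330 IP 192.168.1.23.51240 > 74.125.45.99.443: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:17.110900 IP 192.168.1.23.51241 > 74.125.45.147.80: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:17.345678 IP 192.168.1.23.51242 > 74.125.45.83.443: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:17.900001 IP 192.168.1.23.51243 > 209.85.137.83.80: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:56:20.000000 IP 192.168.1.40.40001 > 74.125.45.100.80: Flags [S], seq 1, win 65535, length 0
2009-03-13 10:57:05.000000 IP 192.168.1.40.40002 > 198.51.100.10.25: Flags [S], seq 1, win 65535, length 0
"""

# One tcpdump line per outbound SYN: the -tttt timestamp, then
# 'IP src.sport > dst.dport:'. Older tcpdump prints the flags as 'S' instead of
# 'Flags [S]'; the pattern stops at the colon so either form matches.
SYN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_syns(lines):
    """Return a list of (timestamp, src, dst, dport) tuples. Lines that do not
    look like a SYN record (tcpdump banners, truncated lines) are skipped."""
    events = []
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"],
                           m["dst"], int(m["dport"])))
    return events


def sweep_candidates(events, window=timedelta(seconds=5), threshold=8):
    """For each internal source, count the distinct dst:port endpoints it hit
    inside any sliding `window`. Sources reaching `threshold` or more are
    returned with the host/port breakdown a sweep alert does not show.
    The window and threshold are assumed values, not the IDS's own settings."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        best = set()
        lo = 0
        for hi in range(len(evs)):
            # slide the left edge until the window fits
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            endpoints = {(d, p) for _, d, p in evs[lo:hi + 1]}
            if len(endpoints) > len(best):
                best = endpoints
        if len(best) >= threshold:
            flagged[src] = {
                "endpoints": len(best),
                "hosts": len({d for d, _ in best}),
                "ports": sorted({p for _, p in best}),
            }
    return flagged


def describe(info):
    """Rough triage: a burst that only touches 80/443 on a handful of servers
    is what a browser restoring tabs looks like; anything else on an internal
    host deserves a closer look on that host."""
    if set(info["ports"]) <= {80, 443}:
        return "web-only ports (80/443): consistent with a browser opening many tabs"
    return "non-web ports involved: examine this host"


if __name__ == "__main__":
    # On the firewall the input would come from a capture such as
    #   tcpdump -ni eth1 -tttt 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and not dst net 192.168.0.0/16'
    # where 'eth1' standing in for the green interface is an assumption.
    events = parse_syns(SAMPLE_CAPTURE.splitlines())
    for src, info in sweep_candidates(events).items():
        print(f"{src}: {info['endpoints']} endpoints on {info['hosts']} hosts, "
              f"ports {info['ports']} -> {describe(info)}")
```

Run against the sample, the laptop is the only source flagged (9 endpoints on 8 hosts, ports 80 and 443 only), which is exactly the "many tabs" signature dropadrop describes; a host that comes out of the same report with unusual ports is the one to pull off the network and inspect. Feed it a real capture with `python3 triage.py < capture.txt` after swapping the constructed sample for `sys.stdin`.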

aftermath
03-14-09, 07:10 AM
Put Wireshark on all the machines and give them a few minutes. Or you could run them all through a proxy with Wireshark.

I'll try that, thanks.

Well, personally I manage some IDS systems and get similar warnings when people open up Firefox with a lot of saved tabs. There are so many simultaneous connections (sometimes to the same server) that it might mistake it for a portscan.

See if you can repeat it somehow with your own actions (I could). I don't think any trojans would be targeting Google from your network.

That's a possibility. I hibernate my laptop with loads of tabs. It's not on today, so I'll go check the logs now.

ppe1700
03-15-09, 02:32 PM
It could be an application checking that there is a live internet connection before it tries to do what it wants to do.